diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index e1a20eccf9c..cafe44d8793 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -185,6 +185,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Improve ECS categorization field mappings in suricata module. {issue}16181[16181] {pull}16843[16843]
 - Release ActiveMQ module as GA. {issue}17047[17047] {pull}17049[17049]
 - Improve ECS categorization field mappings in iptables module. {issue}16166[16166] {pull}16637[16637]
+- Add Filebeat Okta module. {pull}16362[16362]
 *Heartbeat*
diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc
index 38e55e70f10..38670881f3d 100644
--- a/filebeat/docs/fields.asciidoc
+++ b/filebeat/docs/fields.asciidoc
@@ -48,6 +48,7 @@ grouped in the following categories:
 * <>
 * <>
 * <>
+* <>
 * <>
 * <>
 * <>
@@ -21455,6 +21456,574 @@ alias to: source.geo.region_iso_code -- +[[exported-fields-okta]] +== Okta fields + +Module for handling system logs from Okta. + + + +[float] +=== okta + +Fields from Okta. + + + +*`okta.uuid`*:: ++ +-- +The unique identifier of the Okta LogEvent. + + +type: keyword + +-- + +*`okta.event_type`*:: ++ +-- +The type of the LogEvent. + + +type: keyword + +-- + +*`okta.version`*:: ++ +-- +The version of the LogEvent. + + +type: keyword + +-- + +*`okta.severity`*:: ++ +-- +The severity of the LogEvent. Must be one of DEBUG, INFO, WARN, or ERROR. + + +type: keyword + +-- + +*`okta.display_message`*:: ++ +-- +The display message of the LogEvent. + + +type: keyword + +-- + +[float] +=== actor + +Fields that let you store information of the actor for the LogEvent. + + + +*`okta.actor.id`*:: ++ +-- +Identifier of the actor. + + +type: keyword + +-- + +*`okta.actor.type`*:: ++ +-- +Type of the actor. + + +type: keyword + +-- + +*`okta.actor.alternate_id`*:: ++ +-- +Alternate identifier of the actor. + + +type: keyword + +-- + +*`okta.actor.display_name`*:: ++ +-- +Display name of the actor. + + +type: keyword + +-- + +[float] +=== client + +Fields that let you store information about the client of the actor. + + + +*`okta.client.ip`*:: ++ +-- +The IP address of the client. + + +type: ip + +-- + +[float] +=== user_agent + +Fields about the user agent information of the client. + + + +*`okta.client.user_agent.raw_user_agent`*:: ++ +-- +The raw informaton of the user agent. + + +type: keyword + +-- + +*`okta.client.user_agent.os`*:: ++ +-- +The OS informaton. + + +type: keyword + +-- + +*`okta.client.user_agent.browser`*:: ++ +-- +The browser informaton of the client. + + +type: keyword + +-- + +*`okta.client.zone`*:: ++ +-- +The zone information of the client. + + +type: keyword + +-- + +*`okta.client.device`*:: ++ +-- +The information of the client device. + + +type: keyword + +-- + +*`okta.client.id`*:: ++ +-- +The identifier of the client. 
+ + +type: keyword + +-- + +[float] +=== outcome + +Fields that let you store information about the outcome. + + + +*`okta.outcome.reason`*:: ++ +-- +The reason of the outcome. + + +type: keyword + +-- + +*`okta.outcome.result`*:: ++ +-- +The result of the outcome. Must be one of: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. + + +type: keyword + +-- + +*`okta.target`*:: ++ +-- +The list of targets. + + +type: array + +-- + +[float] +=== transaction + +Fields that let you store information about related transaction. + + + +*`okta.transaction.id`*:: ++ +-- +Identifier of the transaction. + + +type: keyword + +-- + +*`okta.transaction.type`*:: ++ +-- +The type of transaction. Must be one of "WEB", "JOB". + + +type: keyword + +-- + +[float] +=== debug_context + +Fields that let you store information about the debug context. + + + +[float] +=== debug_data + +The debug data. + + + +*`okta.debug_context.debug_data.device_fingerprint`*:: ++ +-- +The fingerprint of the device. + + +type: keyword + +-- + +*`okta.debug_context.debug_data.request_id`*:: ++ +-- +The identifier of the request. + + +type: keyword + +-- + +*`okta.debug_context.debug_data.request_uri`*:: ++ +-- +The request URI. + + +type: keyword + +-- + +*`okta.debug_context.debug_data.threat_suspected`*:: ++ +-- +Threat suspected. + + +type: keyword + +-- + +*`okta.debug_context.debug_data.url`*:: ++ +-- +The URL. + + +type: keyword + +-- + +[float] +=== authentication_context + +Fields that let you store information about authentication context. + + + +*`okta.authentication_context.authentication_provider`*:: ++ +-- +The information about the authentication provider. Must be one of OKTA_AUTHENTICATION_PROVIDER, ACTIVE_DIRECTORY, LDAP, FEDERATION, SOCIAL, FACTOR_PROVIDER. + + +type: keyword + +-- + +*`okta.authentication_context.authentication_step`*:: ++ +-- +The authentication step. 
+ + +type: integer + +-- + +*`okta.authentication_context.credential_provider`*:: ++ +-- +The information about credential provider. Must be one of OKTA_CREDENTIAL_PROVIDER, RSA, SYMANTEC, GOOGLE, DUO, YUBIKEY. + + +type: keyword + +-- + +*`okta.authentication_context.credential_type`*:: ++ +-- +The information about credential type. Must be one of OTP, SMS, PASSWORD, ASSERTION, IWA, EMAIL, OAUTH2, JWT, CERTIFICATE, PRE_SHARED_SYMMETRIC_KEY, OKTA_CLIENT_SESSION, DEVICE_UDID. + + +type: keyword + +-- + +*`okta.authentication_context.issuer`*:: ++ +-- +The information about the issuer. + + +type: array + +-- + +*`okta.authentication_context.external_session_id`*:: ++ +-- +The session identifer of the external session if any. + + +type: keyword + +-- + +*`okta.authentication_context.interface`*:: ++ +-- +The interface used. e.g., Outlook, Office365, wsTrust + + +type: keyword + +-- + +[float] +=== security_context + +Fields that let you store information about security context. + + + +[float] +=== as + +The autonomous system. + + + +*`okta.security_context.as.number`*:: ++ +-- +The AS number. + + +type: integer + +-- + +[float] +=== organization + +The organization that owns the AS number. + + + +*`okta.security_context.as.organization.name`*:: ++ +-- +The organization name. + + +type: keyword + +-- + +*`okta.security_context.isp`*:: ++ +-- +The Internet Service Provider. + + +type: keyword + +-- + +*`okta.security_context.domain`*:: ++ +-- +The domain name. + + +type: keyword + +-- + +*`okta.security_context.is_proxy`*:: ++ +-- +Whether it is a proxy or not. + + +type: boolean + +-- + +[float] +=== request + +Fields that let you store information about the request, in the form of list of ip_chain. + + + +[float] +=== ip_chain + +List of ip_chain objects. + + + +*`okta.request.ip_chain.ip`*:: ++ +-- +IP address. + + +type: ip + +-- + +*`okta.request.ip_chain.version`*:: ++ +-- +IP version. Must be one of V4, V6. 
+ + +type: keyword + +-- + +*`okta.request.ip_chain.source`*:: ++ +-- +Source information. + + +type: keyword + +-- + +[float] +=== geographical_context + +Geographical information. + + + +*`okta.request.ip_chain.geographical_context.city`*:: ++ +-- +The city. + +type: keyword + +-- + +*`okta.request.ip_chain.geographical_context.state`*:: ++ +-- +The state. + +type: keyword + +-- + +*`okta.request.ip_chain.geographical_context.postal_code`*:: ++ +-- +The postal code. + +type: keyword + +-- + +*`okta.request.ip_chain.geographical_context.country`*:: ++ +-- +The country. + +type: keyword + +-- + +*`okta.request.ip_chain.geographical_context.geolocation`*:: ++ +-- +Geolocation information. + + +type: geo_point + +-- + [[exported-fields-osquery]] == Osquery fields diff --git a/filebeat/docs/images/filebeat-okta-dashboard.png b/filebeat/docs/images/filebeat-okta-dashboard.png new file mode 100644 index 00000000000..6a28b4363b0 Binary files /dev/null and b/filebeat/docs/images/filebeat-okta-dashboard.png differ diff --git a/filebeat/docs/modules/okta.asciidoc b/filebeat/docs/modules/okta.asciidoc new file mode 100644 index 00000000000..8c81f6c9c5f --- /dev/null +++ b/filebeat/docs/modules/okta.asciidoc @@ -0,0 +1,32 @@ +//// +This file is generated! See scripts/docs_collector.py +//// + +[[filebeat-module-okta]] +[role="xpack"] + +:modulename: okta +:has-dashboards: false + +== Okta module + +beta[] + +This is a filebeat module for retrieving system logs from Okta (www.okta.com) via API. + +:has-dashboards!: + +This module comes with a sample dashboard. For example: + +[role="screenshot"] +image::./images/filebeat-okta-dashboard.png[] + +:modulename!: + + +[float] +=== Fields + +For a description of each field in the module, see the +<> section. + diff --git a/filebeat/docs/modules_list.asciidoc b/filebeat/docs/modules_list.asciidoc index f97dff34a0d..ff2473fb9c6 100644 --- a/filebeat/docs/modules_list.asciidoc +++ b/filebeat/docs/modules_list.asciidoc 
@@ -29,6 +29,7 @@ This file is generated! See scripts/docs_collector.py * <> * <> * <> + * <> * <> * <> * <> @@ -70,6 +71,7 @@ include::modules/mysql.asciidoc[] include::modules/nats.asciidoc[] include::modules/netflow.asciidoc[] include::modules/nginx.asciidoc[] +include::modules/okta.asciidoc[] include::modules/osquery.asciidoc[] include::modules/panw.asciidoc[] include::modules/postgresql.asciidoc[] diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index 188c7485f94..ea4c94844a0 100644 --- a/x-pack/filebeat/filebeat.reference.yml +++ b/x-pack/filebeat/filebeat.reference.yml @@ -695,6 +695,22 @@ filebeat.modules: # # Filebeat will choose the paths depending on your OS. # #var.paths: +#--------------------------------- Okta Module --------------------------------- +- module: okta + system: + enabled: true + # API key to access Okta + #var.api_key + + # URL of the Okta REST API + #var.url + + # Disable SSL verification + #var.ssl: |- + # { + # "verification_mode": "none" + # } + #------------------------------- Osquery Module ------------------------------- - module: osquery result: diff --git a/x-pack/filebeat/include/list.go b/x-pack/filebeat/include/list.go index 7970538c0c4..ed6110393f7 100644 --- a/x-pack/filebeat/include/list.go +++ b/x-pack/filebeat/include/list.go @@ -28,6 +28,7 @@ import ( _ "github.com/elastic/beats/v7/x-pack/filebeat/module/misp" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/mssql" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/netflow" + _ "github.com/elastic/beats/v7/x-pack/filebeat/module/okta" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/panw" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/rabbitmq" _ "github.com/elastic/beats/v7/x-pack/filebeat/module/suricata" diff --git a/x-pack/filebeat/module/okta/README.md b/x-pack/filebeat/module/okta/README.md new file mode 100644 index 00000000000..55cbcf6e926 --- /dev/null +++ b/x-pack/filebeat/module/okta/README.md 
@@ -0,0 +1,24 @@ +# Okta module + +## Caveats + +* Module is to be considered _beta_. + +## How to try the module from distribution install + + +``` +./filebeat setup --modules=okta -e --dashboards +``` + +Enable the Okta module + +``` +./filebeat modules enable okta +``` + +Start Filebeat + +``` +./filebeat -e +``` diff --git a/x-pack/filebeat/module/okta/_meta/config.yml b/x-pack/filebeat/module/okta/_meta/config.yml new file mode 100644 index 00000000000..31853e0130d --- /dev/null +++ b/x-pack/filebeat/module/okta/_meta/config.yml @@ -0,0 +1,14 @@ +- module: okta + system: + enabled: true + # API key to access Okta + #var.api_key + + # URL of the Okta REST API + #var.url + + # Disable SSL verification + #var.ssl: |- + # { + # "verification_mode": "none" + # } diff --git a/x-pack/filebeat/module/okta/_meta/docs.asciidoc b/x-pack/filebeat/module/okta/_meta/docs.asciidoc new file mode 100644 index 00000000000..9c6b91d6646 --- /dev/null +++ b/x-pack/filebeat/module/okta/_meta/docs.asciidoc @@ -0,0 +1,19 @@ +[role="xpack"] + +:modulename: okta +:has-dashboards: false + +== Okta module + +beta[] + +This is a filebeat module for retrieving system logs from Okta (www.okta.com) via API. + +:has-dashboards!: + +This module comes with a sample dashboard. For example: + +[role="screenshot"] +image::./images/filebeat-okta-dashboard.png[] + +:modulename!: diff --git a/x-pack/filebeat/module/okta/_meta/fields.yml b/x-pack/filebeat/module/okta/_meta/fields.yml new file mode 100644 index 00000000000..51d1fd723e4 --- /dev/null +++ b/x-pack/filebeat/module/okta/_meta/fields.yml @@ -0,0 +1,11 @@ +- key: okta + title: Okta + description: > + Module for handling system logs from Okta. + fields: + - name: okta + type: group + default_field: false + description: > + Fields from Okta. + fields: 
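Review bot: In the new `_meta/config.yml` hunk the lines `#var.api_key` and `#var.url` are not valid `key: value` entries, so an operator who uncomments them as written gets a YAML parse error instead of a setting; they should read `#var.api_key: "<api key placeholder>"` and `#var.url: "<okta api url placeholder>"` so the intended shape is visible. The only `var.ssl` example given disables certificate verification (`"verification_mode": "none"`), and because this block is what gets copied into deployments, the API-key-bearing connection to Okta would inherit that setting; a comment marking it as a testing-only option, or a `certificate_authorities` example shown next to it, would steer users toward the verified default. The same block appears in `x-pack/filebeat/filebeat.reference.yml` in the earlier hunk, which appears to be regenerated from this file, so the fix belongs here.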
diff --git a/x-pack/filebeat/module/okta/_meta/images/filebeat-okta-dashboard.png b/x-pack/filebeat/module/okta/_meta/images/filebeat-okta-dashboard.png new file mode 100644 index 00000000000..6a28b4363b0 Binary files /dev/null and b/x-pack/filebeat/module/okta/_meta/images/filebeat-okta-dashboard.png differ diff --git a/x-pack/filebeat/module/okta/_meta/kibana/7/dashboard/749203a0-67b1-11ea-a76f-bf44814e437d.json b/x-pack/filebeat/module/okta/_meta/kibana/7/dashboard/749203a0-67b1-11ea-a76f-bf44814e437d.json new file mode 100644 index 00000000000..0d61b5acfaf --- /dev/null +++ b/x-pack/filebeat/module/okta/_meta/kibana/7/dashboard/749203a0-67b1-11ea-a76f-bf44814e437d.json 
@@ -0,0 +1,680 @@ +{ + "objects": [ + { + "attributes": { + "description": "Filebeat Okta module Kibana dashboard", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "hiddenLayers": [], + "isLayerTOCOpen": false, + "mapCenter": { + "lat": 26.54701, + "lon": -44.69098, + "zoom": 2.75 + }, + "openTOCDetails": [] + }, + "gridData": { + "h": 22, + "i": "8013824b-5a66-494c-acc5-3df8b7678879", + "w": 48, + "x": 0, + "y": 0 + }, + "panelIndex": "8013824b-5a66-494c-acc5-3df8b7678879", + "panelRefName": "panel_0", + "version": "8.0.0-SNAPSHOT" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 11, + "i": "c6a66fe5-21a2-4308-8563-d4a7f5135d25", + "w": 10, + "x": 0, + "y": 22 + }, + "panelIndex": "c6a66fe5-21a2-4308-8563-d4a7f5135d25", + "panelRefName": "panel_1", + "version": "8.0.0-SNAPSHOT" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 11, + "i": "195db901-dc2b-4b7d-80c3-742e2712ac2a", + "w": 9, + "x": 10, + "y": 22 + }, + "panelIndex": "195db901-dc2b-4b7d-80c3-742e2712ac2a", + "panelRefName": "panel_2", + "version": "8.0.0-SNAPSHOT" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 11, + "i": "dc5128e2-0b4d-4dd5-bbc2-624f64467a77", + "w": 19, + "x": 29, + "y": 22 + }, + "panelIndex": "dc5128e2-0b4d-4dd5-bbc2-624f64467a77", + "panelRefName": "panel_3", + "version": "8.0.0-SNAPSHOT" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 11, + "i": "a25a43ed-3262-486c-a482-1fac52f26128", + "w": 10, + "x": 19, + "y": 22 + }, + "panelIndex": "a25a43ed-3262-486c-a482-1fac52f26128", + "panelRefName": "panel_4", + "version": "8.0.0-SNAPSHOT" + }, + { + "embeddableConfig": {}, + "gridData": { + "h": 16, + "i": "c0d5bac3-7e50-4ef9-a401-5a596ec84ee9", + "w": 48, + "x": 0, + "y": 33 + }, + "panelIndex": "c0d5bac3-7e50-4ef9-a401-5a596ec84ee9", 
+ "panelRefName": "panel_5", + "version": "8.0.0-SNAPSHOT" + } + ], + "timeRestore": false, + "title": "[Filebeat Okta] Overview", + "version": 1 + }, + "id": "749203a0-67b1-11ea-a76f-bf44814e437d", + "migrationVersion": { + "dashboard": "7.3.0" + }, + "references": [ + { + "id": "281ca660-67b1-11ea-a76f-bf44814e437d", + "name": "panel_0", + "type": "map" + }, + { + "id": "545d6a00-67ae-11ea-a76f-bf44814e437d", + "name": "panel_1", + "type": "visualization" + }, + { + "id": "7c6ec080-67c6-11ea-a76f-bf44814e437d", + "name": "panel_2", + "type": "visualization" + }, + { + "id": "cda883a0-67c6-11ea-a76f-bf44814e437d", + "name": "panel_3", + "type": "visualization" + }, + { + "id": "0a784b30-67c7-11ea-a76f-bf44814e437d", + "name": "panel_4", + "type": "visualization" + }, + { + "id": "21028750-67ca-11ea-a76f-bf44814e437d", + "name": "panel_5", + "type": "search" + } + ], + "type": "dashboard", + "updated_at": "2020-03-17T00:05:24.763Z", + "version": "Wzk5LDJd" + }, + { + "attributes": { + "bounds": { + "coordinates": [ + [ + [ + -138.87786, + 64.23743 + ], + [ + -138.87786, + -28.21681 + ], + [ + 49.49591, + -28.21681 + ], + [ + 49.49591, + 64.23743 + ], + [ + -138.87786, + 64.23743 + ] + ] + ], + "type": "Polygon" + }, + "description": "", + "layerListJSON": 
"[{\"sourceDescriptor\":{\"type\":\"EMS_TMS\",\"isAutoSelect\":true},\"id\":\"6908e81b-1695-4445-aee4-8bc8c9f65600\",\"label\":null,\"minZoom\":0,\"maxZoom\":24,\"alpha\":1,\"visible\":true,\"style\":{},\"type\":\"VECTOR_TILE\"},{\"sourceDescriptor\":{\"id\":\"4b8bd321-4b90-4d97-83e0-2b12bf091f66\",\"geoField\":\"client.geo.location\",\"filterByMapBounds\":false,\"type\":\"ES_SEARCH\",\"tooltipProperties\":[],\"sortField\":\"\",\"sortOrder\":\"desc\",\"useTopHits\":false,\"topHitsSize\":1,\"applyGlobalQuery\":false,\"indexPatternRefName\":\"layer_1_source_index_pattern\"},\"style\":{\"type\":\"VECTOR\",\"properties\":{\"icon\":{\"type\":\"STATIC\",\"options\":{\"value\":\"airfield\"}},\"fillColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#54B399\"}},\"lineColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#41937c\"}},\"lineWidth\":{\"type\":\"STATIC\",\"options\":{\"size\":1}},\"iconSize\":{\"type\":\"STATIC\",\"options\":{\"size\":6}},\"iconOrientation\":{\"type\":\"STATIC\",\"options\":{\"orientation\":0}},\"labelText\":{\"type\":\"STATIC\",\"options\":{\"value\":\"\"}},\"labelColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#000000\"}},\"labelSize\":{\"type\":\"STATIC\",\"options\":{\"size\":14}},\"labelBorderColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#FFFFFF\"}},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}},\"labelBorderSize\":{\"options\":{\"size\":\"SMALL\"}}},\"isTimeAware\":true},\"id\":\"dc52e707-92d7-4de7-becf-a3a8bfaa2c2d\",\"label\":\"Okta \",\"minZoom\":0,\"maxZoom\":24,\"alpha\":0.75,\"visible\":true,\"type\":\"VECTOR\",\"query\":{\"query\":\"event.dataset : \\\"okta.system\\\" \",\"language\":\"kuery\"}}]", + "mapStateJSON": 
"{\"zoom\":2.75,\"center\":{\"lon\":-44.69098,\"lat\":26.54701},\"timeFilters\":{\"from\":\"now-15w\",\"to\":\"now\"},\"refreshConfig\":{\"isPaused\":false,\"interval\":0},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"filebeat-*\",\"key\":\"event.dataset\",\"negate\":false,\"params\":{\"query\":\"okta.system\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.dataset\":\"okta.system\"}}}]}", + "title": "Geolocation [Filebeat Okta]", + "uiStateJSON": { + "isLayerTOCOpen": true, + "openTOCDetails": [] + } + }, + "id": "281ca660-67b1-11ea-a76f-bf44814e437d", + "migrationVersion": { + "map": "7.7.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "layer_1_source_index_pattern", + "type": "index-pattern" + } + ], + "type": "map", + "updated_at": "2020-03-16T18:08:36.806Z", + "version": "WzYyLDJd" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "okta.system" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "okta.system" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Event Outcome [Filebeat Okta]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "event.outcome", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + 
}, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "isDonut": true, + "labels": { + "last_level": true, + "show": false, + "truncate": 100, + "values": true + }, + "legendPosition": "right", + "type": "pie" + }, + "title": "Event Outcome [Filebeat Okta]", + "type": "pie" + } + }, + "id": "545d6a00-67ae-11ea-a76f-bf44814e437d", + "migrationVersion": { + "visualization": "7.4.2" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-03-16T17:59:26.029Z", + "version": "WzU5LDJd" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "okta.system" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "okta.system" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Transaction Types [Filebeat Okta]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "okta.transaction.type", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + 
"isDonut": true, + "labels": { + "last_level": true, + "show": false, + "truncate": 100, + "values": true + }, + "legendPosition": "right", + "type": "pie" + }, + "title": "Transaction Types [Filebeat Okta]", + "type": "pie" + } + }, + "id": "7c6ec080-67c6-11ea-a76f-bf44814e437d", + "migrationVersion": { + "visualization": "7.4.2" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-03-16T20:41:17.703Z", + "version": "WzY3LDJd" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": {} + }, + "title": "Time Series [Filebeat Okta]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [], + "params": { + "axis_formatter": "number", + "axis_position": "left", + "axis_scale": "normal", + "bar_color_rules": [ + { + "id": "abd68650-67c6-11ea-8c7d-ed286611413e" + } + ], + "default_index_pattern": "filebeat-*", + "default_timefield": "@timestamp", + "id": "61ca57f0-469d-11e7-af02-69e470af7417", + "index_pattern": "", + "interval": "", + "isModelInvalid": false, + "series": [ + { + "axis_position": "right", + "chart_type": "line", + "color": "#68BC00", + "fill": 0.5, + "filter": { + "language": "kuery", + "query": "event.dataset : \"okta.system\"" + }, + "formatter": "number", + "id": "61ca57f1-469d-11e7-af02-69e470af7417", + "line_width": 1, + "metrics": [ + { + "id": "61ca57f2-469d-11e7-af02-69e470af7417", + "type": "count" + } + ], + "point_size": 1, + "separate_axis": 0, + "split_mode": "everything", + "stacked": "none" + } + ], + "show_grid": 1, + "show_legend": 1, + "time_field": "", + "type": "timeseries" + }, + "title": "Time Series [Filebeat Okta]", + "type": "metrics" + } + }, + "id": "cda883a0-67c6-11ea-a76f-bf44814e437d", + "migrationVersion": { 
+ "visualization": "7.4.2" + }, + "references": [], + "type": "visualization", + "updated_at": "2020-03-16T20:43:33.977Z", + "version": "WzcwLDJd" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "okta.system" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "okta.system" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "Actor Types [Filebeat Okta]", + "uiStateJSON": {}, + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "okta.actor.type", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "isDonut": true, + "labels": { + "last_level": true, + "show": false, + "truncate": 100, + "values": true + }, + "legendPosition": "right", + "type": "pie" + }, + "title": "Actor Types [Filebeat Okta]", + "type": "pie" + } + }, + "id": "0a784b30-67c7-11ea-a76f-bf44814e437d", + "migrationVersion": { + "visualization": "7.4.2" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "visualization", + "updated_at": "2020-03-16T20:45:16.003Z", + 
"version": "WzcyLDJd" + }, + { + "attributes": { + "columns": [ + "_source" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.dataset", + "negate": false, + "params": { + "query": "okta.system" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.dataset": "okta.system" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "event.outcome", + "negate": false, + "params": { + "query": "FAILURE" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.outcome": "FAILURE" + } + } + } + ], + "highlightAll": true, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + }, + "version": true + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ], + [ + "event.created", + "desc" + ] + ], + "title": "Okta Failure Events", + "version": 1 + }, + "id": "21028750-67ca-11ea-a76f-bf44814e437d", + "migrationVersion": { + "search": "7.4.0" + }, + "references": [ + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "filebeat-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + } + ], + "type": "search", + "updated_at": "2020-03-16T21:11:52.041Z", + "version": "Wzg5LDJd" + } + ], + "version": "8.0.0-SNAPSHOT" +} diff --git a/x-pack/filebeat/module/okta/fields.go b/x-pack/filebeat/module/okta/fields.go new file mode 100644 index 00000000000..24c40aebc4f 
--- /dev/null
+++ b/x-pack/filebeat/module/okta/fields.go
@@ -0,0 +1,23 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. + +package okta + +import ( + "github.com/elastic/beats/v7/libbeat/asset" +) + +func init() { + if err := asset.SetFields("filebeat", "okta", asset.ModuleFieldsPri, AssetOkta); err != nil { + panic(err) + } +} + +// AssetOkta returns asset data. +// This is the base64 encoded gzipped contents of module/okta. +func AssetOkta() string { + return "eJzsWk1zo7oS3c+v6Jo1N4v3cRdZvCrGkAw3tnEBjisrSoG2rTcY+UoiGd9f/0p82BhkIDZ5dRfDzkg653Sr1WoJ/wY/8HAP7IckXwAklQneg1v8ilFEnO4lZek9/OcLAMCMxVmCsGYctiSNE5puQByExB0kbCNgzdkuH373BWBNMYnFfT7wN0jJDo9E6pGHPd7DhrNsX76JcU2yRIb5wHtYk0TgsamlRT0POcU5rXrq1HX6LKPx8eXR3uXSsWpvxZZxeQ/BFiFL6Z8ZAo0xlXRNkQNbg9xiTgZTtrHfMJV3tcEXhKrnOsDCTT/w8M74SXvLMlTjQtW5bV+OCcF5W81KNarScYVNfcMHWvCGXFCWtuU/txpq2stRN8gfgDDQAoFvyKk8tE3w2y01G6pxNxhxEQJmmZDwisDSfJIs+9vy0QBn/uAasDK9uQGMg+15rneFxTEV+4Qcwh0KQTaa0LOKDjBrdajZX6JAiXKDGz6ANNBCEknG23aZjdelNWU+KmnzsXmyvMKcEkpuiYQEJRxYBkIyjkDTNeM7ImtB28/UzragyZO1psoBZwnzktt6bAFwWgkvl3zXxdxIZldzB7X81M9KEok8JRLDcSw3KzxN0u9XUy0w9WsMNdV6VHh9KioNUUIxle01MMnfw8VVQF5ZJnOGAuEC3wirYDDT9atgr/F+42V3EG4RnAWQOOYojhmikHt31lfDngnkIdmcz0IPYWsSFAjkILoMolOi91bbX3DWWonm5D28ILwrfHvMKjzJyfvRiJMNJwsverRWiYpxJbl+TZF2TZ+4Xzl7F8jHFVCCavzSnFtNhP3F0nFy7RZzrCEhpkt3+Eaj0YRc1FDydEoZJ/vnMlp5/6InjsGZyYjtNPWUWzR0FTbnSXhw5iwpPykva9CvzsUciTg7Dtw0OwVa5dCWTi2/yBI5Hr9Ca/I3yvZ78JeTie37BjyYznTp2Qb4T85iYVsGmNOpuzLAsucvBky+m9OpPX+0DVjOn+buat4RZpLwDWp29qD5vlasJ1QUavM+4gPFecfIwn+Ec3L4VZ3+qk4/Up1KTlJBIqm9Ogi0jVdkSI4JkRjX2T4hU/aw/O3OcFqdn7lW6rdNNe7mJcfXlf3tqwFf/3C/fe0InRhfs00YsVTiT00WtFQzTFrNV26wORuUbJ+0zV7kuDp0Ch/F5HhtO3CaCiVq3HVnCm3dXJRt4ZqmG+R7Tsc+VtSAqxDvqBTrFcGfGQrZzMk362nn5JJpoJ6M05HPXQUwLD2nR4LcciQyFJnYYyRxVMcoZDgi9wjJeDKuD5betCOnkExu1aRF+dK8nFzM
s37jZJlz7k9MNf1EV+ebhv/2nL3RuHFUHulIeEqbDXsq0ta+4j4FZmgug+/2PHAmZuC483Dhuc+OZXsGmJPAebZDy/HsSeB6LwZMLXNhwINt2V7e2QDfnTjmVFXxqstxcHfNd+4SIVF7GZVK3DQc1euOhuEKulNKxDFPSST5P8zMiaxnRiaebakZMae12fB80wD/ZWbOA3tiwKPrPk5tA6yla8DL8pvzZL8MNXXM8qXTTIXbNjFYGODPfAMWpu+vXE8d+Xzf9oqIclamAfbMdKYGuCo2/2HAH6vAgInq8aDC1DZg4dmh/930bCv0X2YzO/CcSfhkvxilB6eOPQ9C3/b9HNSyn52JHS4tx+q+JBEi+2jM6ZdggaSrFZqnwoG1wufvxU3J+n2wGTs3C6l/bu2QcPww/DM/4SWhQCFU/hjvYqtErFxz8kzFeeqxBpIeukMplcjXZMzbvxIQMoHxHeDd5s4AN5MJYz8McNdrGuE/f/+3Ae8i4JmQlzd1gVHGqTxc3s79ssc4G3nF94lbeBfF9Zu3gEHF/pB9iaVsxzJR/r3k7uMJIM12rxfu2HV75aC1Z/olbM+qZ3xDUvoXaVw8dPlkEH8dt5hn9p6KfM1ppOmdpZFdc1rzJgd6ElavbI1wRdKzregqnKuygKOyQIoSfOTqJAeLqpToPPWyHaGjXTEXaEPMVlXVz4OG95WxBEk6nHe1RblFDlQCFUAgBwbGIWVdHx7KA147wXmthiuvQVon2FEvQEp0A2ia/1Z91K5U3T3TfRhtCR3pWq0EGz4r04YMYK//xej8LvzGOxLaTCvab9W9y/b0rbon1bX/tgW31TjOosJslcLP/zLg+fceQYJlPBqx5vJzvHq89QjYINtwst/SiCSaimEA5WMNQU9ct0q3l3SGSu2Qc/6ftH5fNaSr7KYwLnikNimSyJs2lrzeVCC9VHsmZO74+GbCAgoUVC9txLJU8tu9WcD00m2QJSzSFRgDduTH0+Cu8DoGGLJwz2gqv/wvAAD//xMyotI=" +} diff --git a/x-pack/filebeat/module/okta/module.yml b/x-pack/filebeat/module/okta/module.yml new file mode 100644 index 00000000000..ecdcb3a47ff --- /dev/null +++ b/x-pack/filebeat/module/okta/module.yml @@ -0,0 +1,3 @@ +dashboards: +- id: 749203a0-67b1-11ea-a76f-bf44814e437d + file: 749203a0-67b1-11ea-a76f-bf44814e437d.json diff --git a/x-pack/filebeat/module/okta/system/_meta/fields.yml b/x-pack/filebeat/module/okta/system/_meta/fields.yml new file mode 100644 index 00000000000..5bf5ee9c8d5 --- /dev/null +++ b/x-pack/filebeat/module/okta/system/_meta/fields.yml 
@@ -0,0 +1,369 @@ +- name: uuid + title: UUID + short: The unique identifier of the Okta LogEvent. + description: > + The unique identifier of the Okta LogEvent. + type: keyword + +- name: event_type + title: Event Type + short: The type of the LogEvent. + description: > + The type of the LogEvent. + type: keyword + +- name: version + title: Version + short: The version of the LogEvent. + description: > + The version of the LogEvent. + type: keyword + +- name: severity + title: Severity + short: The severity of the LogEvent. + description: > + The severity of the LogEvent. Must be one of DEBUG, INFO, WARN, or ERROR. + type: keyword + +- name: display_message + title: Display Message + short: The display message of the LogEvent. + description: > + The display message of the LogEvent. + type: keyword + +- name: actor + title: Actor + short: Fields of the actor for the LogEvent. + description: > + Fields that let you store information of the actor for the LogEvent. + type: group + fields: + + - name: id + type: keyword + description: > + Identifier of the actor. + + - name: type + type: keyword + description: > + Type of the actor. + + - name: alternate_id + type: keyword + description: > + Alternate identifier of the actor. + + - name: display_name + type: keyword + description: > + Display name of the actor. + +- name: client + title: Client + short: Fields about the client of the actor. + description: > + Fields that let you store information about the client of the actor. + type: group + fields: + + - name: ip + type: ip + description: > + The IP address of the client. + + - name: user_agent + description: > + Fields about the user agent information of the client. + type: group + fields: + + - name: raw_user_agent + type: keyword + description: > + The raw informaton of the user agent. + + - name: os + type: keyword + description: > + The OS informaton. + + - name: browser + type: keyword + description: > + The browser informaton of the client. 
+ + - name: zone + type: keyword + description: > + The zone information of the client. + + - name: device + type: keyword + description: > + The information of the client device. + + - name: id + type: keyword + description: > + The identifier of the client. + +- name: outcome + title: Outcome of the LogEvent. + short: Fields that let you store information about the outcome. + description: > + Fields that let you store information about the outcome. + type: group + fields: + + - name: reason + type: keyword + description: > + The reason of the outcome. + + - name: result + type: keyword + description: > + The result of the outcome. Must be one of: SUCCESS, FAILURE, SKIPPED, ALLOW, DENY, CHALLENGE, UNKNOWN. + +- name: target + title: Target + short: The list of targets. + description: > + The list of targets. + type: array + fields: + + - name: id + type: keyword + description: > + Identifier of the actor. + + - name: type + type: keyword + description: > + Type of the actor. + + - name: alternate_id + type: keyword + description: > + Alternate identifier of the actor. + + - name: display_name + type: keyword + description: > + Display name of the actor. + +- name: transaction + title: Transaction + short: Fields that let you store information about related transaction. + description: > + Fields that let you store information about related transaction. + type: group + fields: + + - name: id + type: keyword + description: > + Identifier of the transaction. + + - name: type + type: keyword + description: > + The type of transaction. Must be one of "WEB", "JOB". + +- name: debug_context + title: Debug Context + short: Fields that let you store information about the debug context. + description: > + Fields that let you store information about the debug context. + type: group + fields: + + - name: debug_data + description: > + The debug data. + type: group + fields: + + - name: device_fingerprint + type: keyword + description: > + The fingerprint of the device. 
+ + - name: request_id + type: keyword + description: > + The identifier of the request. + + - name: request_uri + type: keyword + description: > + The request URI. + + - name: threat_suspected + type: keyword + description: > + Threat suspected. + + - name: url + type: keyword + description: > + The URL. + +- name: authentication_context + title: Authentication Context + short: Fields that let you store information about authentication context. + description: > + Fields that let you store information about authentication context. + type: group + fields: + + - name: authentication_provider + type: keyword + description: > + The information about the authentication provider. Must be one of OKTA_AUTHENTICATION_PROVIDER, ACTIVE_DIRECTORY, LDAP, FEDERATION, SOCIAL, FACTOR_PROVIDER. + + - name: authentication_step + type: integer + description: > + The authentication step. + + - name: credential_provider + type: keyword + description: > + The information about credential provider. Must be one of OKTA_CREDENTIAL_PROVIDER, RSA, SYMANTEC, GOOGLE, DUO, YUBIKEY. + + - name: credential_type + type: keyword + description: > + The information about credential type. Must be one of OTP, SMS, PASSWORD, ASSERTION, IWA, EMAIL, OAUTH2, JWT, CERTIFICATE, PRE_SHARED_SYMMETRIC_KEY, OKTA_CLIENT_SESSION, DEVICE_UDID. + + - name: issuer + description: > + The information about the issuer. + type: array + fields: + + - name: id + type: keyword + description: > + The identifier of the issuer. + + - name: type + type: keyword + description: > + The type of the issuer. + + - name: external_session_id + type: keyword + description: > + The session identifer of the external session if any. + + - name: interface + type: keyword + description: > + The interface used. e.g., Outlook, Office365, wsTrust + +- name: security_context + title: Security Context + short: Fields that let you store information about security context. 
+ description: > + Fields that let you store information about security context. + type: group + fields: + + - name: as + type: group + description: > + The autonomous system. + fields: + + - name: number + type: integer + description: > + The AS number. + + - name: organization + type: group + description: > + The organization that owns the AS number. + fields: + + - name: name + type: keyword + description: > + The organization name. + + - name: isp + type: keyword + description: > + The Internet Service Provider. + + - name: domain + type: keyword + description: > + The domain name. + + - name: is_proxy + type: boolean + description: > + Whether it is a proxy or not. + +- name: request + title: Request + short: Fields that let you store information about the request. + description: > + Fields that let you store information about the request, in the form of list of ip_chain. + type: group + fields: + + - name: ip_chain + description: > + List of ip_chain objects. + type: group + fields: + + - name: ip + type: ip + description: > + IP address. + + - name: version + type: keyword + description: > + IP version. Must be one of V4, V6. + + - name: source + type: keyword + description: > + Source information. + + - name: geographical_context + description: > + Geographical information. + type: group + fields: + + - name: city + type: keyword + description: The city. + + - name: state + type: keyword + description: The state. + + - name: postal_code + type: keyword + description: The postal code. + + - name: country + type: keyword + description: The country. + + - name: geolocation + description: > + Geolocation information. + type: geo_point diff --git a/x-pack/filebeat/module/okta/system/config/input.yml b/x-pack/filebeat/module/okta/system/config/input.yml new file mode 100644 index 00000000000..3d64581b838 --- /dev/null +++ b/x-pack/filebeat/module/okta/system/config/input.yml 
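Review bot: The `target` sub-field descriptions are copied verbatim from `actor` ("Identifier of the actor", "Type of the actor", …) although they document the target objects of the event; they should read e.g. `Identifier of the target.`. The `request.ip_chain` group (and `security_context.as.organization` as a nested group) is declared here, but `pipeline.js` in this same commit never maps `json.request.ipChain` and deletes `json` at the end of the chain, so those fields are declared but never populated — either map them or drop them so the exported field docs match what is indexed. The word "informaton" is misspelled in the three `user_agent` descriptions.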
@@ -0,0 +1,35 @@
+{{ if eq .input "httpjson" }}
+
+type: httpjson
+api_key: {{ .api_key }}
+authentication_scheme: {{.authentication_scheme}}
+http_client_timeout: {{ .http_client_timeout }}
+http_method: {{ .http_method }}
+http_headers: {{ .http_headers }}
+http_request_body: {{ .http_request_body }}
+no_http_body: {{ .no_http_body }}
+interval: {{ .interval }}
+json_objects_array: {{ .json_objects_array }}
+pagination: {{ .pagination }}
+rate_limit: {{ .rate_limit }}
+url: {{ .url }}
+ssl: {{ .ssl }}
+
+{{ else if eq .input "file" }}
+
+type: log
+paths:
+{{ range $i, $path := .paths }}
+ - {{$path}}
+{{ end }}
+exclude_files: [".gz$"]
+
+{{ end }}
+
+processors:
+ - script:
+ lang: javascript
+ id: okta_system_script
+ file: ${path.home}/module/okta/system/config/pipeline.js
+ params:
+ keep_original_message: {{ .keep_original_message }}
diff --git a/x-pack/filebeat/module/okta/system/config/pipeline.js b/x-pack/filebeat/module/okta/system/config/pipeline.js
new file mode 100644
index 00000000000..396650259c5
--- /dev/null
+++ b/x-pack/filebeat/module/okta/system/config/pipeline.js
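Review bot: The `file` branch iterates `.paths`, but `manifest.yml` in this commit declares no `paths` variable (its `var` list goes from `input` to `ssl` without it), so a user who sets `var.input: file` presumably gets an empty `paths:` list unless they also supply `var.paths`; either add `- name: paths` with an empty default to the manifest or document that it is required for the file input. `api_key: {{ .api_key }}` is rendered unquoted, so a token containing characters YAML treats specially would break config parsing; emitting it as `api_key: "{{ .api_key }}"` avoids that. Consider adding a comment above the `httpjson` branch stating that `api_key` is the Okta SSWS API token and should be supplied via the Filebeat keystore rather than inline in `modules.d`.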
@@ -0,0 +1,206 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +function OktaSystem(keep_original_message) { + var processor = require("processor"); + + var decodeJson = new processor.DecodeJSONFields({ + fields: ["message"], + target: "json", + }); + + var parseTimestamp = new processor.Timestamp({ + field: "json.published", + timezone: "UTC", + layouts: ["2006-01-02T15:04:05.999Z"], + tests: ["2020-02-05T18:19:23.599Z"], + ignore_missing: true, + }); + + var saveOriginalMessage = function(evt) {}; + if (keep_original_message) { + saveOriginalMessage = new processor.Convert({ + fields: [ + {from: "message", to: "event.original"} + ], + mode: "rename" + }); + } + + var dropOriginalMessage = function(evt) { + evt.Delete("message"); + }; + + var categorizeEvent = new processor.AddFields({ + target: "event", + fields: { + category: ["authentication"], + kind: "event", + type: ["access"], + + }, + }); + + var convertFields = new processor.Convert({ + fields: [ + { from: "json.displayMessage", to: "okta.display_message" }, + { from: "json.eventType", to: "okta.event_type" }, + { from: "json.uuid", to: "okta.uuid" }, + { from: "json.actor.alternateId", to: "okta.actor.alternate_id" }, + { from: "json.actor.displayName", to: "okta.actor.display_name" }, + { from: "json.actor.id", to: "okta.actor.id" }, + { from: "json.actor.type", to: "okta.actor.type" }, + { from: "json.client.device", to: "okta.client.device" }, + { from: "json.client.geographicalContext.geolocation", to: "client.geo.location" }, + { from: "json.client.geographicalContext.city", to: "client.geo.city_name" }, + { from: "json.client.geographicalContext.state", to: "client.geo.region_name" }, + { from: "json.client.geographicalContext.country", to: "client.geo.country_name" }, + { from: "json.client.id", to: 
"okta.client.id" }, + { from: "json.client.ipAddress", to: "okta.client.ip" }, + { from: "json.client.userAgent.browser", to: "okta.client.user_agent.browser" }, + { from: "json.client.userAgent.os", to: "okta.client.user_agent.os" }, + { from: "json.client.userAgent.rawUserAgent", to: "okta.client.user_agent.raw_user_agent" }, + { from: "json.client.zone", to: "okta.client.zone" }, + { from: "json.outcome.reason", to: "okta.outcome.reason" }, + { from: "json.outcome.result", to: "okta.outcome.result" }, + { from: "json.target", to: "okta.target" }, + { from: "json.transaction.id", to: "okta.transaction.id" }, + { from: "json.transaction.type", to: "okta.transaction.type" }, + { from: "json.debugContext.debugData.deviceFingerprint", to: "okta.debug_context.debug_data.device_fingerprint" }, + { from: "json.debugContext.debugData.requestId", to: "okta.debug_context.debug_data.request_id" }, + { from: "json.debugContext.debugData.requestUri", to: "okta.debug_context.debug_data.request_uri" }, + { from: "json.debugContext.debugData.threatSuspected", to: "okta.debug_context.debug_data.threat_suspected" }, + { from: "json.debugContext.debugData.url", to: "okta.debug_context.debug_data.url" }, + { from: "json.authenticationContext.authenticationProvider", to: "okta.authentication_context.authentication_provider" }, + { from: "json.authenticationContext.authenticationStep", to: "okta.authentication_context.authentication_step" }, + { from: "json.authenticationContext.credentialProvider", to: "okta.authentication_context.credential_provider" }, + { from: "json.authenticationContext.credentialType", to: "okta.authentication_context.credential_type" }, + { from: "json.authenticationContext.externalSessionId", to: "okta.authentication_context.external_session_id" }, + { from: "json.authenticationContext.interface", to: "okta.authentication_context.authentication_provider" }, + { from: "json.authenticationContext.issuer", to: "okta.authentication_context.issuer" }, + { from: 
"json.securityContext.asNumber", to: "okta.security_context.as.number" }, + { from: "json.securityContext.asOrg", to: "okta.security_context.as.organization.name" }, + { from: "json.securityContext.domain", to: "okta.security_context.domain" }, + { from: "json.securityContext.isProxy", to: "okta.security_context.is_proxy" }, + { from: "json.securityContext.isp", to: "okta.security_context.isp" }, + ], + mode: "rename", + ignore_missing: true, + fail_on_error: false, + }); + + var copyFields = new processor.Convert({ + fields: [ + { from: "okta.client.user_agent.raw_user_agent", to: "user_agent.original" }, + { from: "okta.client.ip", to: "client.ip" }, + { from: "okta.client.ip", to: "source.ip" }, + { from: "okta.event_type", to: "event.action" }, + { from: "okta.security_context.as.number", to: "client.as.number" }, + { from: "okta.security_context.as.organization.name", to: "client.as.organization.name" }, + { from: "okta.security_context.domain", to: "client.domain" }, + { from: "okta.security_context.domain", to: "source.domain" }, + { from: "okta.uuid", to: "event.id" }, + { from: "okta.uuid", to: "_id" }, + ], + ignore_missing: true, + fail_on_error: false, + }); + + var setEventOutcome = function(evt) { + var outcome = evt.Get("okta.outcome.result") + if (outcome != null) { + var o = outcome.toLowerCase(); + if (o == "success" || o == "allow") { + evt.Put("event.outcome", "success"); + } else if (o == "failure" || o == "deny") { + evt.Put("event.outcome", "failure"); + } else { + evt.Put("event.outcome", "unknown"); + } + } + } + + // Update nested fields + var renameNestedFields = function(evt) { + var arr = evt.Get("okta.target"); + if (arr != null) { + for (var i = 0; i < arr.length; i++) { + arr[i].alternate_id = arr[i].alternateId; + arr[i].display_name = arr[i].displayName; + delete arr[i].alternateId; + delete arr[i].displayName; + delete arr[i].detailEntry; + } + } + }; + + // Set user info if actor type is User + var setUserInfo = function(evt) { + 
if (evt.Get("okta.actor.type") === "User") { + evt.Put("client.user.full_name", evt.Get("okta.actor.display_name")); + evt.Put("source.user.full_name", evt.Get("okta.actor.display_name")); + evt.Put("related.user", evt.Get("okta.actor.display_name")); + evt.Put("client.user.id", evt.Get("okta.actor.id")); + evt.Put("source.user.id", evt.Get("okta.actor.id")); + } + }; + + // Set related.ip field + var setRelatedIP = function(event) { + if (event.Get("source.ip") != null) { + event.AppendTo("related.ip", event.Get("source.ip")); + } + if (event.Get("destination.ip") != null) { + event.AppendTo("related.ip", event.Get("destination.ip")); + } + }; + + // Drop extra fields + var dropExtraFields = function(evt) { + evt.Delete("json"); + }; + + // Remove null fields + var dropNullFields = function(evt) { + function dropNull(obj) { + Object.keys(obj).forEach(function(key) { + (obj[key] && typeof obj[key] === 'object') && dropNull(obj[key]) || + (obj[key] === null) && delete obj[key] + }); + return obj; + }; + dropNull(evt); + }; + + var pipeline = new processor.Chain() + .Add(decodeJson) + .Add(parseTimestamp) + .Add(saveOriginalMessage) + .Add(dropOriginalMessage) + .Add(categorizeEvent) + .Add(convertFields) + .Add(copyFields) + .Add(setEventOutcome) + .Add(renameNestedFields) + .Add(setUserInfo) + .Add(setRelatedIP) + .Add(dropExtraFields) + .Add(dropNullFields) + .Build(); + + return { + process: pipeline.Run, + }; +}; + +var oktaSystem; + +// Register params from configuration. +function register(params) { + oktaSystem = new OktaSystem(params.keep_original_message); +} + +function process(evt) { + return oktaSystem.process(evt); +} diff --git a/x-pack/filebeat/module/okta/system/ingest/pipeline.yml b/x-pack/filebeat/module/okta/system/ingest/pipeline.yml new file mode 100644 index 00000000000..78f6fa37047 --- /dev/null +++ b/x-pack/filebeat/module/okta/system/ingest/pipeline.yml 
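Review bot: In `convertFields` the mapping for `json.authenticationContext.interface` targets `okta.authentication_context.authentication_provider` instead of `okta.authentication_context.interface`, so a populated `interface` value would land under the provider field (or be dropped, since `authentication_provider` is renamed two entries earlier) and the `interface` field declared in `fields.yml` is never filled; the line should read `{ from: "json.authenticationContext.interface", to: "okta.authentication_context.interface" },`. The test fixtures all carry `"interface":null`, which is why the expected output does not surface this. `setRelatedIP` also checks `destination.ip`, which nothing in this script sets, so that branch is dead as written. For investigators pivoting on the login name, `related.user` only receives `okta.actor.display_name`; appending `okta.actor.alternate_id` as well would make the e-mail/login searchable through the same field.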
@@ -0,0 +1,51 @@
+description: Pipeline for Okta system logs.
+
+processors:
+ - user_agent:
+ field: user_agent.original
+ ignore_missing: true
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ field: destination.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+
+on_failure:
+ - set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
diff --git a/x-pack/filebeat/module/okta/system/manifest.yml b/x-pack/filebeat/module/okta/system/manifest.yml
new file mode 100644
index 00000000000..639a4c95c80
--- /dev/null
+++ b/x-pack/filebeat/module/okta/system/manifest.yml
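Review bot: The second `geoip` processor looks up `destination.ip` but writes to `target_field: source.geo`, so whenever a destination address is present it would overwrite the source's geo data; it should be `target_field: destination.geo`, matching the `destination.as` target used by the ASN lookup below it. As far as the visible `pipeline.js` goes nothing sets `destination.ip`, so the bug is latent today, but it will surface as soon as that field is populated. A one-line comment above the processors noting that `source.ip`/`destination.ip` are populated by the module's JS processor would help the next reader understand where the inputs come from.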
@@ -0,0 +1,55 @@
+module_version: "1.0"
+
+var:
+ - name: input
+ default: httpjson
+ - name: api_key
+ default: ""
+ - name: authentication_scheme
+ default: "SSWS"
+ - name: http_client_timeout
+ default: 60
+ - name: http_method
+ default: GET
+ - name: http_headers
+ default: |-
+ {}
+ - name: http_request_body
+ default: |-
+ {}
+ - name: no_http_body
+ default: true
+ - name: interval
+ default: 60
+ - name: json_objects_array
+ default: ""
+ - name: keep_original_message
+ default: true
+ - name: pagination
+ default: |-
+ {
+ "enabled": true,
+ "header": {
+ "field_name": "Link",
+ "regex_pattern": "<([^>]+)>; *rel=\"next\"(?:,|$)"
+ },
+ }
+ - name: rate_limit
+ default: |-
+ {
+ "limit": "X-Rate-Limit-Limit",
+ "remaining": "X-Rate-Limit-Remaining",
+ "reset": "X-Rate-Limit-Reset"
+ }
+ - name: url
+ default: ""
+ - name: ssl
+ default: |-
+ {}
+
+input: config/input.yml
+ingest_pipeline: ingest/pipeline.yml
+
+requires.processors:
+- name: geoip
+ plugin: ingest-geoip
diff --git a/x-pack/filebeat/module/okta/system/test/okta-system-test.json.log b/x-pack/filebeat/module/okta/system/test/okta-system-test.json.log
new file mode 100644
index 00000000000..a2644a7d3be
--- /dev/null
+++ b/x-pack/filebeat/module/okta/system/test/okta-system-test.json.log
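Review bot: `api_key` is the Okta SSWS API token, a long-lived credential with read access to the tenant's audit log, yet the manifest presents it as an ordinary variable with an empty default and nothing in this commit tells operators how to supply it safely; the module docs should direct users to store it in the Filebeat keystore and reference it from the module config rather than writing the literal token into `modules.d`. Because both `api_key` and `url` default to `""` while `input` defaults to `httpjson`, an unconfigured module presumably starts and only fails at request time; consider stating in the variable descriptions that both are required for the `httpjson` input. There is also no `paths` variable declared even though `config/input.yml` iterates `.paths` for the `file` input.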
@@ -0,0 +1,3 @@ +{"actor":{"alternateId":"xxxxxx@elastic.co","detailEntry":null,"displayName":"xxxxxx","id":"00u1abvz4pYqdM8ms4x6","type":"User"},"authenticationContext":{"authenticationProvider":null,"authenticationStep":0,"credentialProvider":null,"credentialType":null,"externalSessionId":"102nZHzd6OHSfGG51vsoc22gw","interface":null,"issuer":null},"client":{"device":"Computer","geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"id":null,"ipAddress":"108.255.197.247","userAgent":{"browser":"FIREFOX","os":"Mac OS X","rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0"},"zone":"null"},"debugContext":{"debugData":{"authnRequestId":"XkcAsWb8WjwDP76xh@1v8wAABp0","requestId":"XkccyyMli2Uay2I93ZgRzQAAB0c","requestUri":"/login/signout","threatSuspected":"false","url":"/login/signout?message=login_page_messages.session_has_expired"}},"displayMessage":"User logout from Okta","eventType":"user.session.end","legacyEventType":"core.user_auth.logout_success","outcome":{"reason":null,"result":"SUCCESS"},"published":"2020-02-14T22:18:51.843Z","request":{"ipChain":[{"geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"ip":"108.255.197.247","source":null,"version":"V4"}]},"securityContext":{"asNumber":null,"asOrg":null,"domain":null,"isProxy":null,"isp":null},"severity":"INFO","target":null,"transaction":{"detail":{},"id":"XkccyyMli2Uay2I93ZgRzQAAB0c","type":"WEB"},"uuid":"faf7398a-4f77-11ea-97fb-5925e98228bd","version":"0"} 
+{"actor":{"alternateId":"xxxxxx@elastic.co","detailEntry":null,"displayName":"xxxxxx","id":"00u1abvz4pYqdM8ms4x6","type":"User"},"authenticationContext":{"authenticationProvider":null,"authenticationStep":0,"credentialProvider":null,"credentialType":null,"externalSessionId":"102bZDNFfWaQSyEZQuDgWt-uQ","interface":null,"issuer":null},"client":{"device":"Computer","geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"id":null,"ipAddress":"108.255.197.247","userAgent":{"browser":"FIREFOX","os":"Mac OS X","rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0"},"zone":"null"},"debugContext":{"debugData":{"deviceFingerprint":"541daf91d15bef64a7e08c946fd9a9d0","requestId":"XkcAsWb8WjwDP76xh@1v8wAABp0","requestUri":"/api/v1/authn","threatSuspected":"false","url":"/api/v1/authn?"}},"displayMessage":"User login to Okta","eventType":"user.session.start","legacyEventType":"core.user_auth.login_success","outcome":{"reason":null,"result":"SUCCESS"},"published":"2020-02-14T20:18:57.718Z","request":{"ipChain":[{"geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"ip":"108.255.197.247","source":null,"version":"V4"}]},"securityContext":{"asNumber":null,"asOrg":null,"domain":null,"isProxy":null,"isp":null},"severity":"INFO","target":null,"transaction":{"detail":{},"id":"XkcAsWb8WjwDP76xh@1v8wAABp0","type":"WEB"},"uuid":"3aeede38-4f67-11ea-abd3-1f5d113f2546","version":"0"} 
+{"actor":{"alternateId":"xxxxxx@elastic.co","detailEntry":null,"displayName":"xxxxxx","id":"00u1abvz4pYqdM8ms4x6","type":"User"},"authenticationContext":{"authenticationProvider":null,"authenticationStep":0,"credentialProvider":null,"credentialType":null,"externalSessionId":"102bZDNFfWaQSyEZQuDgWt-uQ","interface":null,"issuer":null},"client":{"device":"Computer","geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"id":null,"ipAddress":"108.255.197.247","userAgent":{"browser":"FIREFOX","os":"Mac OS X","rawUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0"},"zone":"null"},"debugContext":{"debugData":{"deviceFingerprint":"541daf91d15bef64a7e08c946fd9a9d0","requestId":"XkcAsWb8WjwDP76xh@1v8wAABp0","requestUri":"/api/v1/authn","threatSuspected":"false","url":"/api/v1/authn?"}},"displayMessage":"Evaluation of sign-on policy","eventType":"policy.evaluate_sign_on","legacyEventType":null,"outcome":{"reason":"Sign-on policy evaluation resulted in ALLOW","result":"ALLOW"},"published":"2020-02-14T20:18:57.762Z","request":{"ipChain":[{"geographicalContext":{"city":"Dublin","country":"United States","geolocation":{"lat":37.7201,"lon":-121.919},"postalCode":"94568","state":"California"},"ip":"108.255.197.247","source":null,"version":"V4"}]},"securityContext":{"asNumber":null,"asOrg":null,"domain":null,"isProxy":null,"isp":null},"severity":"INFO","target":[{"alternateId":"unknown","detailEntry":{"policyType":"OktaSignOn"},"displayName":"Default Policy","id":"00p1abvweGGDW10Ur4x6","type":"PolicyEntity"},{"alternateId":"00p1abvweGGDW10Ur4x6","detailEntry":null,"displayName":"Default Rule","id":"0pr1abvwfqGFI4n064x6","type":"PolicyRule"}],"transaction":{"detail":{},"id":"XkcAsWb8WjwDP76xh@1v8wAABp0","type":"WEB"},"uuid":"3af594f9-4f67-11ea-abd3-1f5d113f2546","version":"0"} 
diff --git a/x-pack/filebeat/module/okta/system/test/okta-system-test.json.log-expected.json b/x-pack/filebeat/module/okta/system/test/okta-system-test.json.log-expected.json new file mode 100644 index 00000000000..5406413e333 --- /dev/null +++ b/x-pack/filebeat/module/okta/system/test/okta-system-test.json.log-expected.json 
@@ -0,0 +1,232 @@ +[ + { + "@timestamp": "2020-02-14T22:18:51.843Z", + "client.geo.city_name": "Dublin", + "client.geo.country_name": "United States", + "client.geo.location.lat": 37.7201, + "client.geo.location.lon": -121.919, + "client.geo.region_name": "California", + "client.ip": "108.255.197.247", + "client.user.full_name": "xxxxxx", + "client.user.id": "00u1abvz4pYqdM8ms4x6", + "event.action": "user.session.end", + "event.category": [ + "authentication" + ], + "event.dataset": "okta.system", + "event.id": "faf7398a-4f77-11ea-97fb-5925e98228bd", + "event.kind": "event", + "event.module": "okta", + "event.original": "{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102nZHzd6OHSfGG51vsoc22gw\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"108.255.197.247\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"authnRequestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestId\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"requestUri\":\"/login/signout\",\"threatSuspected\":\"false\",\"url\":\"/login/signout?message=login_page_messages.session_has_expired\"}},\"displayMessage\":\"User logout from 
Okta\",\"eventType\":\"user.session.end\",\"legacyEventType\":\"core.user_auth.logout_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T22:18:51.843Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"108.255.197.247\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkccyyMli2Uay2I93ZgRzQAAB0c\",\"type\":\"WEB\"},\"uuid\":\"faf7398a-4f77-11ea-97fb-5925e98228bd\",\"version\":\"0\"}", + "event.outcome": "success", + "event.type": [ + "access" + ], + "fileset.name": "system", + "input.type": "log", + "log.offset": 0, + "okta.actor.alternate_id": "xxxxxx@elastic.co", + "okta.actor.display_name": "xxxxxx", + "okta.actor.id": "00u1abvz4pYqdM8ms4x6", + "okta.actor.type": "User", + "okta.authentication_context.authentication_step": 0, + "okta.authentication_context.external_session_id": "102nZHzd6OHSfGG51vsoc22gw", + "okta.client.device": "Computer", + "okta.client.ip": "108.255.197.247", + "okta.client.user_agent.browser": "FIREFOX", + "okta.client.user_agent.os": "Mac OS X", + "okta.client.user_agent.raw_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0", + "okta.client.zone": "null", + "okta.debug_context.debug_data.request_id": "XkccyyMli2Uay2I93ZgRzQAAB0c", + "okta.debug_context.debug_data.request_uri": "/login/signout", + "okta.debug_context.debug_data.threat_suspected": "false", + "okta.debug_context.debug_data.url": "/login/signout?message=login_page_messages.session_has_expired", + "okta.display_message": "User logout from Okta", + "okta.event_type": "user.session.end", + "okta.outcome.result": "SUCCESS", + "okta.transaction.id": 
"XkccyyMli2Uay2I93ZgRzQAAB0c", + "okta.transaction.type": "WEB", + "okta.uuid": "faf7398a-4f77-11ea-97fb-5925e98228bd", + "related.ip": "108.255.197.247", + "related.user": "xxxxxx", + "service.type": "okta", + "source.as.number": 7018, + "source.as.organization.name": "AT&T Services, Inc.", + "source.geo.city_name": "Dublin", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 37.7201, + "source.geo.location.lon": -121.919, + "source.geo.region_iso_code": "US-CA", + "source.geo.region_name": "California", + "source.ip": "108.255.197.247", + "source.user.full_name": "xxxxxx", + "source.user.id": "00u1abvz4pYqdM8ms4x6", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.15", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.15", + "user_agent.version": "72.0." 
+ }, + { + "@timestamp": "2020-02-14T20:18:57.718Z", + "client.geo.city_name": "Dublin", + "client.geo.country_name": "United States", + "client.geo.location.lat": 37.7201, + "client.geo.location.lon": -121.919, + "client.geo.region_name": "California", + "client.ip": "108.255.197.247", + "client.user.full_name": "xxxxxx", + "client.user.id": "00u1abvz4pYqdM8ms4x6", + "event.action": "user.session.start", + "event.category": [ + "authentication" + ], + "event.dataset": "okta.system", + "event.id": "3aeede38-4f67-11ea-abd3-1f5d113f2546", + "event.kind": "event", + "event.module": "okta", + "event.original": "{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"108.255.197.247\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"User login to Okta\",\"eventType\":\"user.session.start\",\"legacyEventType\":\"core.user_auth.login_success\",\"outcome\":{\"reason\":null,\"result\":\"SUCCESS\"},\"published\":\"2020-02-14T20:18:57.718Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"108.255.197.247\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":null,\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3aeede38-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}", + "event.outcome": "success", + "event.type": [ + "access" + ], + "fileset.name": "system", + "input.type": "log", + "log.offset": 1665, + "okta.actor.alternate_id": "xxxxxx@elastic.co", + "okta.actor.display_name": "xxxxxx", + "okta.actor.id": "00u1abvz4pYqdM8ms4x6", + "okta.actor.type": "User", + "okta.authentication_context.authentication_step": 0, + "okta.authentication_context.external_session_id": "102bZDNFfWaQSyEZQuDgWt-uQ", + "okta.client.device": "Computer", + "okta.client.ip": "108.255.197.247", + "okta.client.user_agent.browser": "FIREFOX", + "okta.client.user_agent.os": "Mac OS X", + "okta.client.user_agent.raw_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0", + "okta.client.zone": "null", + "okta.debug_context.debug_data.device_fingerprint": "541daf91d15bef64a7e08c946fd9a9d0", + "okta.debug_context.debug_data.request_id": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "okta.debug_context.debug_data.request_uri": "/api/v1/authn", + "okta.debug_context.debug_data.threat_suspected": "false", + "okta.debug_context.debug_data.url": "/api/v1/authn?", + "okta.display_message": "User login to Okta", + "okta.event_type": "user.session.start", + "okta.outcome.result": "SUCCESS", + "okta.transaction.id": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "okta.transaction.type": "WEB", + "okta.uuid": "3aeede38-4f67-11ea-abd3-1f5d113f2546", + "related.ip": "108.255.197.247", + "related.user": "xxxxxx", + "service.type": "okta", + "source.as.number": 7018, + 
"source.as.organization.name": "AT&T Services, Inc.", + "source.geo.city_name": "Dublin", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 37.7201, + "source.geo.location.lon": -121.919, + "source.geo.region_iso_code": "US-CA", + "source.geo.region_name": "California", + "source.ip": "108.255.197.247", + "source.user.full_name": "xxxxxx", + "source.user.id": "00u1abvz4pYqdM8ms4x6", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.15", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.15", + "user_agent.version": "72.0." + }, + { + "@timestamp": "2020-02-14T20:18:57.762Z", + "client.geo.city_name": "Dublin", + "client.geo.country_name": "United States", + "client.geo.location.lat": 37.7201, + "client.geo.location.lon": -121.919, + "client.geo.region_name": "California", + "client.ip": "108.255.197.247", + "client.user.full_name": "xxxxxx", + "client.user.id": "00u1abvz4pYqdM8ms4x6", + "event.action": "policy.evaluate_sign_on", + "event.category": [ + "authentication" + ], + "event.dataset": "okta.system", + "event.id": "3af594f9-4f67-11ea-abd3-1f5d113f2546", + "event.kind": "event", + "event.module": "okta", + "event.original": "{\"actor\":{\"alternateId\":\"xxxxxx@elastic.co\",\"detailEntry\":null,\"displayName\":\"xxxxxx\",\"id\":\"00u1abvz4pYqdM8ms4x6\",\"type\":\"User\"},\"authenticationContext\":{\"authenticationProvider\":null,\"authenticationStep\":0,\"credentialProvider\":null,\"credentialType\":null,\"externalSessionId\":\"102bZDNFfWaQSyEZQuDgWt-uQ\",\"interface\":null,\"issuer\":null},\"client\":{\"device\":\"Computer\",\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United 
States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"id\":null,\"ipAddress\":\"108.255.197.247\",\"userAgent\":{\"browser\":\"FIREFOX\",\"os\":\"Mac OS X\",\"rawUserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0\"},\"zone\":\"null\"},\"debugContext\":{\"debugData\":{\"deviceFingerprint\":\"541daf91d15bef64a7e08c946fd9a9d0\",\"requestId\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"requestUri\":\"/api/v1/authn\",\"threatSuspected\":\"false\",\"url\":\"/api/v1/authn?\"}},\"displayMessage\":\"Evaluation of sign-on policy\",\"eventType\":\"policy.evaluate_sign_on\",\"legacyEventType\":null,\"outcome\":{\"reason\":\"Sign-on policy evaluation resulted in ALLOW\",\"result\":\"ALLOW\"},\"published\":\"2020-02-14T20:18:57.762Z\",\"request\":{\"ipChain\":[{\"geographicalContext\":{\"city\":\"Dublin\",\"country\":\"United States\",\"geolocation\":{\"lat\":37.7201,\"lon\":-121.919},\"postalCode\":\"94568\",\"state\":\"California\"},\"ip\":\"108.255.197.247\",\"source\":null,\"version\":\"V4\"}]},\"securityContext\":{\"asNumber\":null,\"asOrg\":null,\"domain\":null,\"isProxy\":null,\"isp\":null},\"severity\":\"INFO\",\"target\":[{\"alternateId\":\"unknown\",\"detailEntry\":{\"policyType\":\"OktaSignOn\"},\"displayName\":\"Default Policy\",\"id\":\"00p1abvweGGDW10Ur4x6\",\"type\":\"PolicyEntity\"},{\"alternateId\":\"00p1abvweGGDW10Ur4x6\",\"detailEntry\":null,\"displayName\":\"Default Rule\",\"id\":\"0pr1abvwfqGFI4n064x6\",\"type\":\"PolicyRule\"}],\"transaction\":{\"detail\":{},\"id\":\"XkcAsWb8WjwDP76xh@1v8wAABp0\",\"type\":\"WEB\"},\"uuid\":\"3af594f9-4f67-11ea-abd3-1f5d113f2546\",\"version\":\"0\"}", + "event.outcome": "success", + "event.type": [ + "access" + ], + "fileset.name": "system", + "input.type": "log", + "log.offset": 3287, + "okta.actor.alternate_id": "xxxxxx@elastic.co", + "okta.actor.display_name": "xxxxxx", + "okta.actor.id": "00u1abvz4pYqdM8ms4x6", + 
"okta.actor.type": "User", + "okta.authentication_context.authentication_step": 0, + "okta.authentication_context.external_session_id": "102bZDNFfWaQSyEZQuDgWt-uQ", + "okta.client.device": "Computer", + "okta.client.ip": "108.255.197.247", + "okta.client.user_agent.browser": "FIREFOX", + "okta.client.user_agent.os": "Mac OS X", + "okta.client.user_agent.raw_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0", + "okta.client.zone": "null", + "okta.debug_context.debug_data.device_fingerprint": "541daf91d15bef64a7e08c946fd9a9d0", + "okta.debug_context.debug_data.request_id": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "okta.debug_context.debug_data.request_uri": "/api/v1/authn", + "okta.debug_context.debug_data.threat_suspected": "false", + "okta.debug_context.debug_data.url": "/api/v1/authn?", + "okta.display_message": "Evaluation of sign-on policy", + "okta.event_type": "policy.evaluate_sign_on", + "okta.outcome.reason": "Sign-on policy evaluation resulted in ALLOW", + "okta.outcome.result": "ALLOW", + "okta.target": [ + { + "alternate_id": "unknown", + "display_name": "Default Policy", + "id": "00p1abvweGGDW10Ur4x6", + "type": "PolicyEntity" + }, + { + "alternate_id": "00p1abvweGGDW10Ur4x6", + "display_name": "Default Rule", + "id": "0pr1abvwfqGFI4n064x6", + "type": "PolicyRule" + } + ], + "okta.transaction.id": "XkcAsWb8WjwDP76xh@1v8wAABp0", + "okta.transaction.type": "WEB", + "okta.uuid": "3af594f9-4f67-11ea-abd3-1f5d113f2546", + "related.ip": "108.255.197.247", + "related.user": "xxxxxx", + "service.type": "okta", + "source.as.number": 7018, + "source.as.organization.name": "AT&T Services, Inc.", + "source.geo.city_name": "Dublin", + "source.geo.continent_name": "North America", + "source.geo.country_iso_code": "US", + "source.geo.location.lat": 37.7201, + "source.geo.location.lon": -121.919, + "source.geo.region_iso_code": "US-CA", + "source.geo.region_name": "California", + "source.ip": "108.255.197.247", + 
"source.user.full_name": "xxxxxx", + "source.user.id": "00u1abvz4pYqdM8ms4x6", + "user_agent.device.name": "Other", + "user_agent.name": "Firefox", + "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0", + "user_agent.os.full": "Mac OS X 10.15", + "user_agent.os.name": "Mac OS X", + "user_agent.os.version": "10.15", + "user_agent.version": "72.0." + } +] \ No newline at end of file diff --git a/x-pack/filebeat/modules.d/okta.yml.disabled b/x-pack/filebeat/modules.d/okta.yml.disabled new file mode 100644 index 00000000000..19e2a1ad8f2 --- /dev/null +++ b/x-pack/filebeat/modules.d/okta.yml.disabled @@ -0,0 +1,17 @@ +# Module: okta +# Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-okta.html + +- module: okta + system: + enabled: true + # API key to access Okta + #var.api_key + + # URL of the Okta REST API + #var.url + + # Disable SSL verification + #var.ssl: |- + # { + # "verification_mode": "none" + # }